8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: SessionRequestHandler.java,v 1.9 2009/04/02 04:11:44 ericow Exp $
c64331fa7c7a38e49ed3b4194ccdffd41af0ff02Peter Major * Portions Copyrighted 2011-2016 ForgeRock AS.
6c56bf78246f18c9c14c17ef3ed65065ce178ffdTom Rumseyimport static org.forgerock.openam.audit.AuditConstants.Component.*;
6c56bf78246f18c9c14c17ef3ed65065ce178ffdTom Rumseyimport static org.forgerock.openam.session.SessionConstants.*;
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshottimport javax.servlet.http.HttpServletRequest;
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshottimport javax.servlet.http.HttpServletResponse;
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshottimport org.forgerock.guice.core.InjectorHolder;
32b36b012d0b3ab28eecb13555b3925237c2c5a9Peter Majorimport org.forgerock.openam.dpro.session.InvalidSessionIdException;
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshottimport org.forgerock.openam.session.SessionCache;
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshottimport org.forgerock.openam.session.SessionPLLSender;
a9e7fd62c12d542e82bc74c4e395b9b090fc1117Tom Rumseyimport org.forgerock.openam.session.service.access.SessionQueryManager;
6309b849c2de831a0eaed9c27b5794bed9bd8fd1Neil Maddenimport org.forgerock.openam.sso.providers.stateless.StatelessSessionManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.dpro.session.SessionException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.dpro.session.share.SessionBundle;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.dpro.session.share.SessionInfo;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.dpro.session.share.SessionRequest;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.dpro.session.share.SessionResponse;
1d407e39b7d8f68d9a2b1e178f35fab037d9835aRobert Wapshottimport com.iplanet.services.comm.server.PLLAuditor;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.services.comm.server.RequestHandler;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.services.comm.share.Response;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.services.comm.share.ResponseSet;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.session.util.RestrictedTokenAction;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.session.util.RestrictedTokenContext;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.session.util.SessionUtils;
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * Responsible for processing a PLL request and routing it to the appropriate handler which will respond to the caller
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * the results of the operation.
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * The operations available from this handler split into two broad categories:
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * In the first group, the request is targeting either all LOCAL sessions or a single local session identified by another
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * request parameter. The session ID in this case is only used to authenticate the operation. That session is not
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * expected to be local to this server (although it might). These operations are:
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * <li>GetValidSessions</li>
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * <li>GetSessionCount</li>
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * In the second group, the request is targeting a single session identified by a session ID, which is supposed to be
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * hosted by this server instance. The session ID is used both as an id for the target session and to authenticate the
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * operation (i.e. operations are performed on the callers own session). The operations in this group are:
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * <li>GetSession</li>
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * <li>Logout</li>
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * <li>AddSessionListener</li>
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * <li>SetProperty</li>
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * <li>DestroySession</li>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class SessionRequestHandler implements RequestHandler {
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott private final SessionService sessionService;
6309b849c2de831a0eaed9c27b5794bed9bd8fd1Neil Madden private final StatelessSessionManager statelessSessionManager;
a9e7fd62c12d542e82bc74c4e395b9b090fc1117Tom Rumsey private final SessionQueryManager sessionQueryManager;
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott private static final SessionCache sessionCache = InjectorHolder.getInstance(SessionCache.class);
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott private static final SessionPLLSender sessionPLLSender = InjectorHolder.getInstance(SessionPLLSender.class);
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott sessionService = InjectorHolder.getInstance(SessionService.class);
35ab1c5bca11317474fe12bdd8d22c17cdaf2697Robert Wapshott sessionDebug = InjectorHolder.getInstance(Key.get(Debug.class, Names.named(SESSION_DEBUG)));
6309b849c2de831a0eaed9c27b5794bed9bd8fd1Neil Madden statelessSessionManager = InjectorHolder.getInstance(StatelessSessionManager.class);
a9e7fd62c12d542e82bc74c4e395b9b090fc1117Tom Rumsey sessionQueryManager = InjectorHolder.getInstance(SessionQueryManager.class);
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshott * Understands how to resolve a Token based on its SessionID.
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshott * Stateless Sessions by their very nature do not need to be stored in memory, and so
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshott * can be resolved in a different way to Stateful Sessions.
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshott * @param sessionID Non null Session ID.
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshott * @return Null if no matching Session could be found, otherwise a non null
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshott * Session instance.
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshott * @throws SessionException If there was an error resolving the Session.
c6c8bcf74a1e796c167156af1cc1a5d95c67aceaRobert Wapshott private Session resolveSession(SessionID sessionID) throws SessionException {
6309b849c2de831a0eaed9c27b5794bed9bd8fd1Neil Madden if (statelessSessionManager.containsJwt(sessionID)) {
6309b849c2de831a0eaed9c27b5794bed9bd8fd1Neil Madden return statelessSessionManager.generate(sessionID);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell public ResponseSet process(PLLAuditor auditor,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResponseSet rset = new ResponseSet(SessionService.SESSION_SERVICE);
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey Response res = processRequest(auditor, req, servletRequest);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell final SessionRequest sreq = SessionRequest.parseXML(req.getContent());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SessionResponse sres = new SessionResponse(sreq.getRequestID(), sreq.getMethodID());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // use remote client IP as default RestrictedToken context
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell context = SessionUtils.getClientAddress(servletRequest);
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey sessionDebug.error("SessionRequestHandler encountered exception", ex);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell return auditedExceptionResponse(auditor, sres);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell context = RestrictedTokenContext.unmarshal(requester);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell SSOTokenManager ssoTokenManager = SSOTokenManager.getInstance();
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell if (!ssoTokenManager.isValidToken(adminToken)) {
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell sres.setException(SessionBundle.getString("appTokenInvalid") + requester);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell return auditedExceptionResponse(auditor, sres);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell "SessionRequestHandler.processRequest:"
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell + "app token invalid, sending Session response"
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell +" with Exception");
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell sres.setException(SessionBundle.getString("appTokenInvalid") + requester);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell return auditedExceptionResponse(auditor, sres);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sres = (SessionResponse) RestrictedTokenContext.doUsing(context,
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey sessionDebug.message("processSessionRequest caught exception: {}", se.getMessage(), se);
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey return handleException(sreq, new SessionID(sreq.getSessionID()), se.getMessage());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey sessionDebug.message("processSessionRequest caught exception: {}", se.getResponseMessage(), se);
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey return handleException(sreq, se.getSid(), se.getResponseMessage());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey sessionDebug.error("SessionRequestHandler encountered exception", ex);
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell auditor.auditAccessFailure(sres.getException());
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell private Response auditedExceptionResponse(PLLAuditor auditor, SessionResponse sres) {
786bac66d599daf6355e45e64da84c846a857552Craig McDonnell auditor.auditAccessFailure(sres.getException());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey private SessionResponse processSessionRequest(PLLAuditor auditor, SessionRequest req) throws SessionException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SessionID sid = new SessionID(req.getSessionID());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey // Log the access attempt without session properties, then continue.
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey private void verifyRequestingSessionIsNotRestrictedToken(Session requesterSession)
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey throws SessionException, SessionRequestException {
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey if (requesterSession.getProperty(TOKEN_RESTRICTION_PROP) != null) {
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey throw new SessionRequestException(requesterSession.getSessionID(), SessionBundle.getString("noPrivilege"));
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey private void verifyValidRequest(SessionRequest req, Session requesterSession) throws SessionException,
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey SessionID targetSid = requesterSession.getSessionID();
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey if (req.getMethodID() == SessionRequest.DestroySession) {
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey targetSid = new SessionID(req.getDestroySessionID());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey verifyRequestingSessionIsNotRestrictedToken(requesterSession);
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey } else if (req.getMethodID() == SessionRequest.SetProperty) {
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey sessionDebug.warning("SessionRequestHandler.processRequest: Client does not have permission to set"
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey + " : property value = " + req.getPropertyValue());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey throw new SessionRequestException(requesterSession.getSessionID(), SessionBundle.getString("noPrivilege"));
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey verifyRequestingSessionIsNotRestrictedToken(requesterSession);
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey throw new SessionRequestException(requesterSession.getSessionID(), SessionBundle.getString("unknownRequestMethod"));
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * Verify that this server is the correct host for the session and the session can be found(or recovered) locally.
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * This function will become much simpler with removal of home servers, or possibly no longer be required.
aa9422005d747789faacd4064a4d42c58014a41cTom Rumsey private void verifyTargetSessionExists(SessionID sid) throws SessionException, SessionRequestException {
a90aba9cbcbb8e7fe95e45590d853959efe0d354Tom Rumsey throw new SessionRequestException(sid, SessionBundle.getString("sessionNotObtained"));
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * Request method-specific processing
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey private SessionResponse processMethod(SessionRequest req, Session requesterSession) throws SessionException {
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey SessionResponse res = new SessionResponse(req.getRequestID(), req.getMethodID());
6309b849c2de831a0eaed9c27b5794bed9bd8fd1Neil Madden if (statelessSessionManager.containsJwt(requesterSession.getSessionID())) {
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey // We need to validate the session before creating the sessioninfo to ensure that the
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey // stateless session hasn't timed out yet, and hasn't been blacklisted either.
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey SSOTokenManager tokenManager = SSOTokenManager.getInstance();
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey final SSOToken statelessToken = tokenManager.createSSOToken(req.getSessionID());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey if (!tokenManager.isValidToken(statelessToken)) {
32b36b012d0b3ab28eecb13555b3925237c2c5a9Peter Major throw new InvalidSessionIdException(req.getSessionID());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey res.addSessionInfo(sessionService.getSessionInfo(requesterSession.getSessionID(), req.getResetFlag()));
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey return handleException(req, requesterSession.getSessionID(), SessionBundle.getString("invalidSessionID"));
bf2a56fd7e5b3bb37378e87e32829a01402d27f0Tom Rumsey SearchResults<SessionInfo> infoSearchResults = sessionService.getValidSessions(requesterSession, pattern);
bf2a56fd7e5b3bb37378e87e32829a01402d27f0Tom Rumsey List<SessionInfo> sessionInfo = new ArrayList<>();
bf2a56fd7e5b3bb37378e87e32829a01402d27f0Tom Rumsey sessionInfo.addAll(infoSearchResults.getSearchResults());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey sessionService.destroySession(requesterSession, new SessionID(req.getDestroySessionID()));
fc8409d20f991d53ac0c4708efa04c121b73c449Tom Rumsey sessionService.addSessionListener(requesterSession, req.getNotificationURL());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey sessionService.setExternalProperty(this.clientToken, requesterSession.getSessionID(), req.getPropertyName(), req.getPropertyValue());
a9e7fd62c12d542e82bc74c4e395b9b090fc1117Tom Rumsey Map sessions = sessionQueryManager.getAllSessionsByUUID(uuid);
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey return handleException(req, requesterSession.getSessionID(), SessionBundle.getString("unknownRequestMethod"));
d552ef9965b495ec6fa5f89b12ad638ad4cc87f4Tony Bamford private void auditAccessAttempt(PLLAuditor auditor, Session session) {
d552ef9965b495ec6fa5f89b12ad638ad4cc87f4Tony Bamford auditor.setTrackingId(session.getProperty(Constants.AM_CTX_ID));
d552ef9965b495ec6fa5f89b12ad638ad4cc87f4Tony Bamford auditor.setRealm(session.getProperty(Constants.ORGANIZATION));
d552ef9965b495ec6fa5f89b12ad638ad4cc87f4Tony Bamford // Don't audit with session information.
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * !!!!! IMPORTANT !!!!! DO NOT REMOVE "sid" FROM
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * EXCEPTIONMESSAGE Logic kludge in legacy Agent 2.0
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * code will break If it can not find SID value in
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * the exception message returned by Session
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * Service. This dependency should be eventually
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * removed once we migrate customers to a newer
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * agent code base or switch to a new version of
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey * Session Service interface
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey private SessionResponse handleException(SessionRequest req, SessionID sid, String error) {
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey SessionResponse response = new SessionResponse(req.getRequestID(), req.getMethodID());
a19a421277791c670d5a4ebcd6d7af7de159d271Tom Rumsey private class SessionRequestException extends Exception {